Corporate Compliance

Group Regulation No. 1915: Data Protection and Personal Data Privacy within the Bayer Group (effective January 1, 2008)

In support of our global business processes, it is essential that the necessary information and data are available throughout the Bayer Group. The company’s international operations require it to comply with the various legal requirements in different countries and regions. At the same time, adequate protection must be accorded to our business partners and our employees.

The transfer of personal data across national borders is only permissible if such data are properly protected or if the units of the company that process the data can give an adequate guarantee that the privacy of the individuals whose data are transmitted is being protected. This Corporate Directive on Data Protection and Personal Data Privacy, when applied in conjunction with the Directive on IT Security, is designed to ensure that all Group companies meet this requirement. This Corporate Directive has been agreed with the German regulatory authorities.

1. Introduction

For an innovative global company such as Bayer, the acquisition and meaningful use of information is of immense importance to achieving corporate objectives in all areas of business. Contemporary communication channels such as the Internet, intranets and e-mail play an essential part in accessing and exchanging information. They allow Bayer to prepare and implement corporate decisions faster and more effectively than in the past.

However, improvements resulting from developments in information technology also entail greater risks, which have to be taken into account by ethical enterprises such as Bayer. For instance, personal rights could be violated by the improper or incorrect use of information technology. In this regard, Bayer strives to protect the personal rights of any individual whose personal data it processes – including its employees, customers, suppliers and other contractual partners, interested persons, subjects and patients in clinical trials – regardless of the means or methods of collection of such personal data. In this context, Bayer has issued the following Corporate Directive that applies throughout, and is binding upon, the Bayer Group1 and relates to data protection and personal data privacy. This Corporate Directive implements one aspect of the Program for Legal Compliance and Corporate Responsibility at Bayer.

2. Objective

This Corporate Directive has the objective of defining security standards for processing, storing, and transferring personal data within the Bayer Group in order to ensure adequate protection of personal rights of the affected data subjects. Complying with the Corporate Directive is a requirement for the free exchange of personal data within the Bayer Group.

3. Scope

This Corporate Directive governs all data privacy issues. It applies to the processing of the personal data of any individual whose personal data are processed within the Bayer Group, including employees, customers, suppliers, other contractual partners, subjects and patients in clinical trials, interested persons and other parties, regardless of the origin of the data. The data protection and data security standards of this Corporate Directive are binding upon all Bayer Group entities.

Existing legal obligations – both national and international – shall prevail over this Corporate Directive in countries where the collection or processing of personal data occurs. Every recipient of data must therefore check whether such regulations apply in his/her field of responsibility and ensure compliance. However, where data privacy requirements under national or international law are less strict than under this Directive, this Directive shall prevail. In certain countries, the data protection authorities require notification from the data controller before any wholly or partially automated processing of personal data is performed. Each Bayer Group entity is responsible for complying with any notification obligations in its respective country. The transfer of personal data to government authorities and agencies is only permissible in accordance with the applicable national laws.

Whenever a corporate unit has reason to believe that applicable statutory regulations are preventing it from fulfilling its obligations under mandatory internal company regulations and are significantly detrimental to the guarantees provided for thereunder, it shall notify Bayer AG headquarters immediately unless prohibited from doing so by a law enforcement agency under national law.

Bayer AG shall then make a responsible decision on the matter in consultation with the Corporate Privacy Officer and shall notify the respective national data protection authority accordingly.

4. General Principles for Processing Personal Data

4.1 Permissibility of Data Processing
The processing of personal data is permitted only if the data subject has consented thereto or if permissible under applicable law at the place of processing. The permissibility of processing personal data is a prerequisite for the transfer of personal data pursuant to Section 5.

Consent shall be declared in writing or by other legally permissible means, whereby the data subject must be informed in advance about the purpose of such processing of personal data and the possible transfer of personal data to third parties. The declaration of consent must be highlighted when included as part of other statements so as to be clear to the data subject.

4.2 Intended Purpose
Personal data may only be collected for specified, explicit and legitimate purposes and may not be further processed contrary to such intended purpose. The purpose of the data transferred by another Bayer company is to be considered by the recipient when further processing and storing this data. Changes of purpose are only permissible with the consent of the data subject or if permitted by national law in the respective country from which personal data are transferred.

4.3 Data Economy
The processing of personal data must be necessary for the intended purpose. Available possibilities for the anonymization or pseudonymization of personal data should be used at an early stage, as far as this is possible and the cost is appropriate to the intended protective purpose. This applies in particular with regard to the personal data of subjects and patients in clinical trials.

4.4 Data Quality
Personal data must be factually correct and, as far as necessary, up-to-date. Appropriate and reasonable measures should be undertaken to correct or delete incorrect or incomplete data.

4.5 Data Security
The data controller shall implement appropriate technical and organizational measures to ensure the necessary data security. These measures refer in particular to computers (servers and workstations), networks and communication links, and applications; they are embedded in the IT security management system of the Bayer Group. The essential measures which have been implemented within the Bayer Group to avoid the unauthorized processing of personal data include, among other things, controls of:

  • physical access to data processing systems;
  • logical access to data processing systems;
  • logical access to data processing applications;
  • input of data into data processing systems; and
  • transfer of data by means of data transmission.

In addition, appropriate measures need to be taken to protect such data against accidental deletion, unauthorized deletion or loss. Full particulars are regulated in the IT Security Directive.

4.6 Confidentiality of Data Processing
Only authorized staff, who have undertaken to observe data secrecy requirements, are allowed to be involved in the processing of personal data. It is prohibited for them to use such data for their own private purposes or to make it accessible to any unauthorized entity. Unauthorized in this context also means the use of personal data by employees who do not need access to such data to fulfill their employment duties. The confidentiality obligation survives termination of employment.

4.7 Special Categories of Personal Data
The collection and processing of sensitive data are generally prohibited and allowed only if:

  • the data subject has explicitly declared his/her consent; or
  • the data subject has obviously made public such data; or
  • it is necessary for the protection of a vital interest of the data subject or a third party, and the data subject is not able for physical or legal reasons to declare his/her consent; or
  • it is necessary for the exercise, enforcement or defense of legal claims and it cannot be expected that the justified interests of the data subject not to collect or process personal data prevail; or
  • it is necessary for the performance of scientific research, the scientific interest in performing the research project prevails over the interests of the data subject not to collect or process personal data, and if the purpose of the research cannot be achieved otherwise or only with disproportionately high effort.

Furthermore, pharmaceutical research and development is subject to numerous national and international legal provisions which especially protect the personal rights of the data subject in respect of the processing of sensitive data2. Depending on the category of sensitive data and the risks associated with the intended use, appropriate security and safety measures pursuant to Section 4.5 will be taken (e.g. technical security devices, encryption and limitation of physical access).

4.8 Contract Data Processing
If a Bayer Group entity or other entities act as the principal or contract data processor within the scope of a contract relating to the processing of personal data, the following shall apply:

  • A contract data processor shall be selected who will guarantee the technical and organizational security measures required for processing personal data and provide sufficient guarantees with respect to the protection of personal rights and the exercise of rights related thereto. The latter is the case at Bayer Group entities to which this Corporate Directive applies. Otherwise, such guarantees may have to be secured by obligating the contract data processor to observe the general principles of this Corporate Directive or by applying the standard contractual clauses provided by the European Union (EU).
  • The processing of personal data by a contract data processor must be regulated in a written agreement in which the rights and duties of the principal and of the contract data processor are specified.
  • The contract data processor is contractually obligated to process personal data only within the scope of the contract and the directions issued by the principal. Personal data may not be processed for any other purpose.

The principal remains the data controller of the personal data and the contact partner for data subjects.

4.9 Automated Decisions Affecting Data Subjects
Certain countries provide in their legal provisions restrictions relating to automated decisions that affect data subjects. This applies to decisions which are the result of automated personal data processing and which have legal consequences for the data subject or a negative effect on him/her. In those exceptional cases in which such automated decisions are rendered by Bayer Group entities, the data subjects will be notified that such an automated decision has been made and shall be given the opportunity to comment on or contest the decision. In that case the decision must be reviewed again.

5. Transfer of Personal Data

A transfer of personal data within the European Economic Area3 (EEA) is generally permitted if processing of the data is also permitted according to Section 4.1.

For transfer of personal data within the country in which data has been collected, compliance with the existing legal requirements of the respective country must be ensured.

5.1 Transfer of Personal Data from the EEA to Third Countries
Based on Section 4.1 of this Corporate Directive, the transfer of personal data from an EEA country to a third country is permitted only if:

  • the data subject has explicitly given his/her consent; or
  • the transfer of personal data is necessary for the performance of a contract between the data subject and the data controller or in order to take steps prior to entering into a contract initiated by the data subject; or
  • the transfer of personal data is necessary to complete or to fulfill a contract which was made or is to be made with a third party by the data controller in the interest of the data subject; or
  • the transfer of personal data is either required or prescribed by law for the protection of an important public interest or for the exercise, enforcement or defense of legal claims; or
  • the transfer of personal data is necessary for the protection of a vital interest of the data subject; or
  • the personal data are transferred to a third country which the European Commission has deemed to have an adequate data protection standard4; or
  • the receiving party provides sufficient guarantees within the meaning of this Corporate Directive with respect to the protection of personal rights and the exercise of rights related thereto. This is the case for Bayer Group entities to which this Corporate Directive applies.

If the recipient is not a Bayer Group entity, it must be ensured that this Corporate Directive applies to the recipient accordingly. The Bayer Group entity transferring personal data will take appropriate measures in case of violations by the recipient.

5.2 Transfer of Personal Data within a Third Country or to another Third Country
The further transfer of personal data which have been transferred from the EEA to a recipient within the third country or to another third country is only permitted, subject to Section 4.1, if such third country has an adequate data protection standard or if one of the circumstances described in Section 5.1 of this Corporate Directive applies. In any case, the Bayer Group entity in the EEA which transferred the personal data shall be informed prior to a further transfer of personal data within the third country or to another third country.

5.3 Provision of Operational Address, Function and Communication Data
For the purpose of internal corporate communication it is permitted to provide operational address, function and communication data, including information on cost centers – for instance via intranet or central Lotus Notes directories – within the Bayer Group to the extent necessary for that purpose. All users must bear in mind the restricted purpose for which these data are provided.

6. Rights of the Data Subject

6.1 Information Right
Each data subject has the right to demand information about the type of personal data concerning him/her that is processed by a Bayer Group entity. This information will be provided irrespective of the place where the personal data are processed. The data subject may address any such application for information to the local human resources department of the respective Bayer Group entity (see also Section 7.3). The specialist departments must provide the necessary support.

6.2 Correction Claim
If the stored personal data are incorrect or incomplete, the data subject may require correction. Data subjects are responsible for providing only correct personal data to the respective Bayer Group entity. In addition, data subjects shall inform the respective Bayer Group entity of any relevant changes (e.g. changes of address or name).

6.3 Rejection of Request for Information or Correction
If the request for information or correction is rejected, the data subject will be informed about the reason for such rejection.

6.4 Deletion
If the data subject demonstrates that the purpose for which the personal data are processed is no longer permissible, necessary or reasonable under the circumstances, the respective personal data will be deleted, subject to legal provisions to the contrary.

6.5 Right to Object
Each data subject has the right to object if his/her personal data are used for advertising purposes or for the purpose of market or opinion research. If required by national law, the data subject shall be informed about the right to object (opt-out) and about the data controller. In this case, the personal data must be blocked for this purpose. It must also be noted that some countries require consent prior to the processing of personal data for the purposes mentioned above (opt-in). Furthermore, the data subject has a general right to object to the processing of his/her data. This objection must be heeded if an investigation shows that the need for protection of the subject’s interests in light of his/her special personal situation outweighs the interest that the responsible unit would have in processing his/her data. Such objection shall not, however, be heeded if processing of the subject’s data is mandatory under applicable law.

6.6 Questions and Complaints/Remedies
Regarding possible questions, complaints or remedies please refer to Section 7.3.

7. Procedural Rules

7.1 Implementation within the Bayer Group
The Group companies, as data controllers, must ensure compliance with the principles embodied in this Corporate Directive. In this respect, the managerial employees of the Bayer Group entities shall ensure that this Corporate Directive is implemented, which includes in particular providing information to the employees. Should additional training be required, the Corporate Privacy Officer or his/her local representative should be approached. The information provided shall also emphasize that violation of the general principles of this Corporate Directive may entail consequences under criminal, liability or labor law.

7.2 Corporate Privacy Officer
A Corporate Privacy Officer will be appointed by the Board of Management of Bayer AG to monitor compliance with this Corporate Directive. If necessary, the Corporate Privacy Officer will be supported by local representatives (Regional Privacy Officers), who are responsible for ensuring data protection in the legal entities and shall also inform the Corporate Privacy Officer in case of complaints.

Such local representatives shall follow the instructions of the Corporate Privacy Officer. Where a Regional Privacy Officer also assumes the function of a Legal Entity Privacy Officer, he/she shall cooperate closely with the Corporate Privacy Officer but shall not be bound by the latter’s instructions. In their duties as defined in this Corporate Directive, the Corporate Privacy Officer and his/her local representatives are not bound by instructions from management.

The managerial employees of the Bayer Group are obligated to support the Corporate Privacy Officer and his/her local representatives in the exercise of their duties.

If you have any questions, please contact the Corporate Privacy Officer by e-mail.

A list of the local representatives is available from the Corporate Privacy Officer.

7.3 Questions and Complaints/Remedies
Data subjects may contact the Corporate Privacy Officer or his/her local representatives at any time with any questions and complaints regarding the processing of personal data. Such questions and complaints will be treated confidentially.

If a question or complaint raised by a data subject relates to an alleged violation of this Corporate Directive by a Bayer Group entity located in a country other than the country in which the data subject resides, the data subject may contact the Bayer Group entity which transferred the data. Should the alleged violation be confirmed, the Bayer Group entities affected will cooperate with the respective parties (e.g. data protection agencies, other entities) in line with this Corporate Directive and remedy such alleged violation.

If the issue raised by a data subject is not remedied, the data subject may file a complaint with the Corporate Privacy Officer. The Corporate Privacy Officer will inform the data subject about his/her decision and the respective remedies. The procedures described in this Corporate Directive apply in addition to any other legal remedies and procedures available to the data subject, including the right of the data subject to submit questions and complaints to the responsible data protection agency.

7.4 Obligation towards Data Protection Agencies
The party receiving personal data transferred from the EEA to a third country and the Corporate Privacy Officer are obligated, upon request, to cooperate with the data protection agency of the country in which the transferring party is located and to respect its findings, provided that these have been rendered following due process of law with respect to the transferring and receiving parties. The transferring party in the EEA also has the right to review the processing of personal data by the receiving party.

7.5 Amendment of the Corporate Directive and Continued Application
Bayer reserves the right to amend this Corporate Directive as necessary, for instance to comply with changes to statutes, regulations, requirements of data protection agencies or internal Bayer procedures. Where required by law, Bayer will submit any amended version for regulatory review.

Should this Corporate Directive become invalid, irrespective of the reasons or causes for such invalidity, all Bayer Group entities are bound by this Corporate Directive with respect to personal data transferred prior to the date of such invalidity, unless the Corporate Directive has been replaced by a new regulation.

7.6 Publicity
The current version of this Corporate Directive shall be made available to all data subjects in a suitable manner, e.g. via the Intranet or Internet.

7.7 Relationship to other company regulations
Should other company regulations conflict with this Corporate Directive, this Corporate Directive shall take precedence.

8. Definitions

Anonymization is the changing of personal data such that they can no longer be assigned to a certain or ascertainable individual.
Consent is any freely given, informed declaration by the data subject that he/she accepts the processing of his/her personal data. Consent may be subject to particular requirements arising from respective national laws.
Contract data processor is the individual or legal entity that processes personal data on behalf of a data controller.
Data controller is the legally independent Bayer Group entity that decides the purposes and means of processing personal data.
Data protection/privacy is the sum of all actions taken to protect the personal rights of data subjects when handling their personal data.
Data subjects are all individuals whose personal data are processed within the Bayer Group, including current, future and former employees, customers, suppliers and other contractual partners, interested persons, subjects and patients in clinical trials.
Legal Entity Privacy Officer is the person officially named to monitor internal data protection at a legal entity in the Bayer Group. He/she reports to the management of that legal entity under local law without being bound by management’s instructions.
Personal data are any information relating to an identified or identifiable individual. An individual is identifiable if he/she can be directly or indirectly identified, e.g. by assigning a reference number.
Processing of personal data is any automated or non-automated operation or set of operations performed in respect of personal data – such as collection, recording, storage, adaptation, alteration, selection, retrieval, use, transmission, blocking, deletion or erasure. This definition will also apply to the word “processed” when used in this context.
Pseudonymization is the replacement of a data subject’s name and other identifying characteristics with a label for the purpose of preventing identification of the data subject by unauthorized parties or of greatly impeding such identification.
Regional Privacy Officer is the person responsible for communicating and monitoring legal and corporate data privacy requirements at regional and operational level.
Safe third country is a country which the EU Commission deems to have an adequate data privacy standard.4
Sensitive data are special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and sexual orientation.
Third country is every country outside the European Economic Area (EEA3).
Third party is every individual or legal entity that cannot be assigned to the data controller, e.g. every external business partner but also any other company in the Group. Third parties are not the data subject himself/herself nor contract data processors within the European Economic Area (EEA).
Transfer of personal data is the forwarding of personal data, its distribution or all other forms of transfer to third parties. This definition also applies analogously to the words “transferred” and “transferring” when used in this context.

1 The Bayer Group means Bayer AG and all companies in which Bayer AG, directly or indirectly, holds more than 50 % of the shares or has comparable control rights.

2 Legal provisions applying to pharmaceutical research and development include, for instance, in Germany the Medicines Act (Arzneimittelgesetz), in Europe EU Directive 2001/20/EC on Good Clinical Practice in the conduct of clinical trials, in the USA the Health Insurance Portability and Accountability Act (HIPAA) and internationally the ICH Guidelines, especially E6 Good Clinical Practice (1996).

3 The EEA consists of the member states of the European Union plus Iceland, Liechtenstein and Norway.

4 As at August 1, 2006, these were Argentina, Canada and Switzerland as well as the organizations in the USA which are certified under the Safe Harbor framework.

Contact

Responsible
Bayer Global Compliance
Dr. Roland Hartwig

Bayer Compliance Hotline

Last updated: December 15, 2014 Copyright © Bayer AG
http://www.bayer.com